Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
This action is in response to applicant’s original submittal made on 10/08/2024. Claims 1-6 are pending.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a non-statutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 and 4 are rejected on the ground of non-statutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 12,113,831 (’831 hereinafter). Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the following:
(18/909,882) A computer-implemented method for privilege assurance of enterprise computer network environments using lateral movement detection and prevention, the computer-implemented method comprising: collecting a plurality of session details for an authentication session for a user; checking the validity of the session details, using a stored session configuration; receiving additional session details; comparing the session details against a stored expected pattern to identify any mismatched data; revoking authentication credentials for the authentication session and generate an event log if invalid or mismatched information is identified; sending the event log to a graph engine; creating and storing a cyber-physical graph of the computer network using the event log, wherein the vertices represent directory access protocol objects and the edges represent relationships between those objects; performing a plurality of queries over time on the cyber-physical graph to identify a cyberattack parameter of interest; receiving results of the plurality of queries; analyzing the results to determine a plurality of high-risk hosts based on the number and value of user accounts associated with each object and its connections to neighboring objects; and creating and storing a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes;
maps to
(’831) A system for privilege assurance of enterprise computer network environments using lateral movement detection and prevention, comprising: a local session monitor comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a first computing device within a computer network operating a directory access protocol, wherein the first plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to: receive a first plurality of session-based details for an authentication session for a user; check the validity of the first plurality of session-based details, using a stored session configuration; log the first plurality of session-based details; receive a second plurality of session details; compare the first and second pluralities of session details against a stored expected pattern to identify any mismatched data; where invalid or mismatched information is identified in the first or second plurality of session-based details or in the comparison against a stored expected pattern, revoke authentication credentials for the authentication session and generate an event log indicating the particular session-based details that contain the invalid or mismatched information; send the event log to a graph engine; a graph engine comprising a second plurality of programming instructions stored in a memory of, and operating on a processor of, a second computing device, wherein the second plurality of programming instructions, when operating on the processor of the second computing device, cause the second computing device to: receive the event log; create and store a cyber-physical graph of the computer network using the event log, wherein the vertices of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects; perform a plurality of queries over time on the cyber-physical graph to identify a cyberattack parameter of interest; receive results of the plurality of queries; analyze the results to determine a plurality of high-risk hosts, the high-risk hosts being determined based on the number and value of user accounts associated with each object in the cyber-physical graph and its connections to neighboring objects; and create and store a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes.
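The claimed pipeline, as an added illustration that is not code from the application or from either patent: a session-detail check against a stored expected pattern, event log entries feeding a graph whose vertices are directory objects, host risk scoring by the number and value of the accounts associated with each object and its connections, and a lateral movement path map a defender can use to decide which relationships to remove. All objects, edge labels, account values, the session fields checked and the risk threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Stored expected pattern per user (constructed sample data, not from the page).
EXPECTED = {"alice": {"src_ip": "10.0.0.5", "agent": "corp-laptop"},
            "bob": {"src_ip": "10.0.0.7", "agent": "corp-laptop"}}

def check_session(user, details, expected=EXPECTED):
    """(revoke, event): a checked field differing from the pattern revokes the session."""
    pattern = expected.get(user, {})
    bad = {k: v for k, v in details.items() if k in pattern and pattern[k] != v}
    event = {"user": user, "host": details["host"], "mismatch": bad} if bad else None
    return bool(bad), event

# Directory objects (users, groups, hosts) and their relationships as (source,
# relationship, target) triples; the labels are constructed, not the page's.
EDGES = [("alice", "MemberOf", "DomainAdmins"), ("bob", "MemberOf", "Helpdesk"),
         ("DomainAdmins", "AdminTo", "dc01"), ("Helpdesk", "AdminTo", "ws02"),
         ("bob", "HasSession", "ws02"), ("ws02", "AdminTo", "srv01"),
         ("srv01", "AdminTo", "dc01")]
ACCOUNT_VALUE = {"alice": 10, "bob": 1}   # constructed weight of each account
HOSTS = ["dc01", "ws02", "srv01"]

def build_graph(edges, event_log):
    """Adjacency sets; each session-monitor event adds a user -> host edge."""
    g = defaultdict(set)
    for src, _, dst in edges:
        g[src].add(dst)
    for ev in event_log:
        g[ev["user"]].add(ev["host"])
    return g

def reachable(g, start):
    # Breadth-first set of objects reachable from start.
    seen, queue = set(), deque([start])
    while queue:
        for nxt in g[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def host_risk(g, hosts, account_value):
    """Score = value of the accounts that can reach the host + count of onward links."""
    scores = {}
    for host in hosts:
        owners = [u for u in account_value if host in reachable(g, u)]
        scores[host] = sum(account_value[u] for u in owners) + len(g[host])
    return scores

def lateral_paths(g, src, dst, max_hops=4):
    """All simple paths from src to dst of at most max_hops edges (DFS)."""
    found, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            found.append(path)
        elif len(path) <= max_hops:
            stack.extend((n, path + [n]) for n in g[node] if n not in path)
    return found

def path_map(g, hosts, scores, threshold):
    """Path map: for each host at or above threshold, other hosts' paths into it."""
    high = [h for h in hosts if scores[h] >= threshold]
    return {h: {s: lateral_paths(g, s, h) for s in hosts if s != h} for h in high}
```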
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-6 are rejected under 35 U.S.C. 103 as being unpatentable over Goodsitt et al. (US Patent No. 10,263,996 and Goodsitt hereinafter) in view of Seiver et al. (US Patent Publication No. 2017/0078322 and Seiver hereinafter).
As to claims 1 and 4, Goodsitt teaches a computer-implemented method for privilege assurance of enterprise computer network environments using lateral movement detection and prevention, the computer-implemented method comprising:
collecting a plurality of session details for an authentication session for a user (i.e. …teaches in col. 2 lines 25-40 the following: “the remote computing device 104 can track and/or monitor a user's use of the online web service 106 over any number of sessions during which the user interacts with the online web service 106 through the user device 102. The sessions can each be separate or distinct sessions with each session beginning after the user participates in an authentication scheme for attempting to verify the identity of the user.”);
checking the validity of the session details, using a stored session configuration (i.e. …teaches in col. 5 lines 1-15 the following: “By monitoring a user's actions and/or flow through the online web service 106, for example over a number of discrete sessions with the online web service 106, the remote computing device 104 can develop or generate a model of a user's behavior or mannerism”);
receiving additional session details (i.e. …teaches in col. 5 lines 1-15 the following: “By monitoring a user's actions and/or flow through the online web service 106, for example over a number of discrete sessions with the online web service 106, the remote computing device 104 can develop or generate a model of a user's behavior or mannerism” …teaches in col. lines the following: “Further, the remote computing device 104 can develop a model of the user's flow through the website. In various embodiments, each discrete session can include activities by the user after authentication is verified until the user exits or logs off from the online web service 106. When the user logs on again, and is verified, a subsequent user interaction session can occur. After a certain number of discrete user interaction sessions, the model of user behavior and/or flow can be generated”.);
comparing the session details against a stored expected pattern to identify any mismatched data (i.e., …teaches in col. 5 lines 10-25 the following: “Once the model of user behavior and/or flow is generated, the remote computing device 104 can compare subsequent activity on the online web service 106 by the user to the model. When the user's activity deviates significantly from the model, the activity can be flagged.”);
revoking authentication credentials for the authentication session (i.e., …teaches in col. 16 lines 10-20 the following: “If a user at 708 is determined to be unauthorized, then at 712 the remote computing device 104 can determine to revoke access to the online web service 106 through the use of the credentials (e.g., user name and password or other authentication information/mechanism used by the online website service 106) associated with the user being monitored in the logic flow 700.”).
Goodsitt does not expressly teach:
and generate an event log if invalid or mismatched information is identified and sending the event log to a graph engine;
creating and storing a cyber-physical graph of the computer network using the event log,
wherein the vertices represent directory access protocol objects and the edges represent relationships between those objects;
performing a plurality of queries over time on the cyber-physical graph to identify a cyberattack parameter of interest;
receiving results of the plurality of queries;
analyzing the results to determine a plurality of high-risk hosts based on the number and value of user accounts associated with each object and its connections to neighboring objects;
and creating and storing a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes.
In this instance the examiner notes the teachings of prior art reference Seiver.
With regards to applicant’s claim limitation element of, “and generate an event log if invalid or mismatched information is identified sending the event log to a graph engine”, teaches in par. 0181 the following: “a graphical representation 942 of network devices mapped in a chart according to respective network device risk values as described in FIG. 9A. In some implementations, to illustrate the affect of the external event…”.
With regards to applicant’s claim limitation element of, “creating and storing a cyber-physical graph of the computer network using the event log”, teaches in par. 0181 the following: “a graphical representation 942 of network devices mapped in a chart according to respective network device risk values as described in FIG. 9A. In some implementations, to illustrate the affect of the external event,”.
With regards to applicant’s claim limitation element of, “wherein the vertices represent directory access protocol objects and the edges represent relationships between those objects”, teaches in par. 0054 the following: “Network topology refers generally to the relationship between various network devices, such as an indication of network devices and the connections between those network devices”. Further teaches in par. 0073 the following: “this representation is a graph 200A, e.g., a directed graph as illustrated in the example, which includes nodes each representing one or more network devices, which are connected to other nodes by edges representing logged communications and/or possible communication paths between nodes.”.
With regards to applicant’s claim limitation element of, “performing a plurality of queries over time on the cyber-physical graph to identify a cyberattack parameter of interest”, teaches in par. 0276 the following: “the user interface 1900 includes an option to search for a particular metric. The reviewing user can provide a search query (e.g., a natural language search query), which the system can receive and parse to determine a matching metric.”. Teaches in par. 0324 the following: “The system can determine aspects indicated in the natural language search query, and apply the aspects to the network risk map 2802. For example, the user can filter a network risk map according to network devices accessed by a particular user account, or user accounts transition to from the particular user account, to determine an effect that a compromise of the particular user account would have on the network. The user can further manipulate the time slider to specify one or more times at which the filters are to be applied, or can incorporate an indication of a time, or time period (e.g., within a prior working week), into a search query.”.
With regards to applicant’s claim limitation element of, “receiving results of the plurality of queries”, teaches in par. 0324 the following: “The system can determine aspects indicated in the natural language search query, and apply the aspects to the network risk map 2802. For example, the user can filter a network risk map according to network devices accessed by a particular user account, or user accounts transition to from the particular user account, to determine an effect that a compromise of the particular user account would have on the network. The user can further manipulate the time slider to specify one or more times at which the filters are to be applied, or can incorporate an indication of a time, or time period (e.g., within a prior working week), into a search query.”.
With regards to applicant’s claim limitation element of, “analyzing the results to determine a plurality of high-risk hosts based on the number and value of user accounts associated with each object and its connections to neighboring objects”, teaches in par. 0075 the following: “each node in the graph 200A is labeled with a High (“H”), Medium (“M”), or Low (“L”) compromise value. That is, the graph 200A provides an easy method of viewing nodes that need to be secured carefully, e.g., due to a node storing sensitive/valuable data associated with a High compromise value. In this way, a system administrator can identify high value nodes for which extra security precautions may be desirable. In securing a node, the risk assessment system 100 can overlay information on the graph 200A displaying nodes that a selected node has access to, e.g., can provide information to, or request information from. Overlaying information describing nodes a selected node has access to is described below,”. Teaches in par. 0078 the following: “the node 202 selected by the system administrator is highlighted with a darker border, and all nodes that can be reached by the selected node 202 are illustrated with broken lines. In other embodiments, other visualizations may be used to identity a selected node and accessible nodes, such as colors, highlighting, etc.”.
With regards to applicant’s claim limitation element of, “and creating and storing a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes”, teaches in par. 0144 and 0145 the following: “[0144] In some implementations, the system can provide an identification of the determined nodes to a system administrator using the system as an overlay of the graph identifying the network topology, such as in the example of FIG. 2D and as described further above with reference to block 408 of FIG. 4. For example, the system can shade or color the determined nodes as presented to the system administrator on the graph. In another example, the system can present the determined nodes with hatched lines, e.g., FIG. 2D, or can color the determined nodes differently than remaining nodes. [0145] In this example, the system determines compromise values of the determined nodes (block 704). For example, the system may determine compromise values for each node the user account, or node, is permitted to access. Determining a compromise value is described above, with reference to block 410 of FIG. 4.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Goodsitt with the teachings of Seiver by having their system comprise an enhanced network analysis process. One would have been motivated to do so to provide a simple and effective means to determine unauthorized network access, wherein the enhanced network analysis process helps facilitate proper network attack detection and makes it easier to isolate network cyber-attacks.
As to claims 2 and 5, the system of Goodsitt and Seiver as applied to claim 1 teaches credential management; specifically, Goodsitt does not expressly teach the method of claim 1, wherein the session details comprise information about a user’s granted privilege levels.
In this instance the examiner notes the teachings of prior art reference Seiver.
Seiver teaches in par. 0055 the following: “information describing a level of access that a user account has within a network.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Goodsitt with the teachings of Seiver by having their system comprise an enhanced network analysis process. One would have been motivated to do so to provide a simple and effective means to determine unauthorized network access, wherein the enhanced network analysis process helps facilitate proper network attack detection and makes it easier to isolate network cyber-attacks.
As to claims 3 and 6, the system of Goodsitt and Seiver as applied to claim 1 teaches credential management; specifically, Goodsitt teaches the method of claim 1, wherein the session details comprise historical user activity within the network (i.e., …teaches in col. 5 lines 10-25 the following: “Once the model of user behavior and/or flow is generated, the remote computing device 104 can compare subsequent activity on the online web service 106 by the user to the model. When the user's activity deviates significantly from the model, the activity can be flagged.”).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRYAN F WRIGHT/Examiner, Art Unit 2497